/*Copyright 2014 Rajesh Putta

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
 * 
 */

package com.codesnippets4all.xss.filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.codesnippets4all.xss.config.handlers.XSSConfigHandler;
import com.codesnippets4all.xss.request.XSSAttacksPreventionRequestWrapper;

/**
 * This code demonstrates how to prevent any web application from possible XSS
 * attacks
 * 
 * this filter just take the control of every request hitting your web
 * application and then take the help of Request Wrapper instance to avoid
 * possible XSS attacks through script injections, etc
 * 
 * This filter to be the first component configured in your web application
 */

public class XSSAttacksPreventionFilter implements Filter {

	private static String action = "cleanup";
	private static String configPath="config";

	public XSSAttacksPreventionFilter() {
	}

	public void destroy() {
	}

	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {

		XSSAttacksPreventionRequestWrapper req = new XSSAttacksPreventionRequestWrapper(
				(HttpServletRequest) request);
		req.setAttackAction(action);
		req.setResponse((HttpServletResponse) response);

		chain.doFilter(req, response);
	}

	public void init(FilterConfig fConfig) throws ServletException {
		// following parameter to be configured in web.xml to mention whether in
		// case of any attack what action to be taken
		/*
		 * possible actions are
		 * 
		 * 1. clean up the pattern text matched from request headers or
		 * parameters
		 * 
		 * 2. throw back the sorry page to the client, sorry page relative URL
		 * pattern to be configured in web.xml under attackAction
		 * 
		 * 
		 * <init-param> <param-name>attackAction</param-name>
		 * <param-value>cleanup</param-value> </init-param>
		 * 
		 * (or)
		 * 
		 * <init-param> <param-name>attackAction</param-name>
		 * <param-value>/html/sorry.html</param-value> </init-param>
		 * 
		 * 
		 * defaults to clean up the parameters/headers values
		 */
		action = fConfig.getInitParameter("attackAction");
		
		configPath = fConfig.getInitParameter("config");
		
		// instantiate XSSConfigHandler to load xss-config.xml with all the
		// request parameters and patterns
		XSSConfigHandler configHandler=XSSConfigHandler.getInstance();
		
		if(configPath!=null && !configPath.trim().equals(""))
		{
			configHandler.setConfigFile(configPath);
		}
		
		// initialize config handler with configured xss configuration file
		configHandler.initialize();
		
	}

}